Multiple vulnerabilities have been found in python-authlib, a Python
library for OAuth and OpenID Connect servers.
CVE-2024-37568
Unless an algorithm is specified in a jwt.decode call, HMAC verification
is allowed with any asymmetric public key.
CVE-2025-59420
Authlib's JWS verification accepts tokens that declare unknown critical
header parameters (crit), violating RFC 7515 "must-understand" semantics.
An attacker can craft a signed token with a critical header that strict
verifiers reject but Authlib accepts. In mixed-language fleets, this
enables split-brain verification and can lead to policy bypass, replay,
or privilege escalation.
CVE-2025-61920
Authlib's JOSE implementation accepts unbounded JWS/JWT header and
signature segments which can lead to a DoS during verification.
CVE-2025-62706
Authlib's JWE zip=DEF path performs unbounded DEFLATE decompression
which can lead to a DoS.
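The four issues above are instances of four well-known JOSE verifier defects: letting the token's header choose the algorithm, ignoring `crit`, decoding segments of unbounded size, and inflating without an output cap. The following is an added, standard-library-only illustration of the corresponding checks; it is not Authlib's code, and the size limits, secret key and payload are constructed demo values rather than anything taken from Authlib or the advisory.

```python
"""Hardened compact-JWS checks (added example, not Authlib's code).

Demonstrates the defences for the bug classes in the advisory: a pinned
algorithm, crit must-understand, bounded segment sizes and bounded DEFLATE
output. Limits, key and payload are constructed demo values.
"""
import base64
import hashlib
import hmac
import json
import zlib

MAX_SEGMENT_BYTES = 4096        # assumed policy: cap on each base64url segment
MAX_INFLATED_BYTES = 64 * 1024  # assumed policy: cap on decompressed output
UNDERSTOOD_CRIT = frozenset()   # this verifier implements no crit extensions

SAMPLE_KEY = b"constructed-demo-secret-not-for-production"  # constructed
SAMPLE_PAYLOAD = b'{"sub":"alice"}'                          # constructed


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Reject oversized segments before any decoding work is done, so a token
    # cannot force unbounded processing (the CVE-2025-61920 class of DoS).
    if len(segment) > MAX_SEGMENT_BYTES:
        raise ValueError("segment exceeds %d bytes" % MAX_SEGMENT_BYTES)
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header: dict, payload: bytes = SAMPLE_PAYLOAD,
               key: bytes = SAMPLE_KEY) -> str:
    """Build a compact JWS signed with HMAC-SHA256 no matter what the header
    claims; used only to construct inputs for the verifier below."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(payload)
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> bytes:
    """Return the verified payload, or raise ValueError with the reason."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    h_seg, p_seg, s_seg = parts
    header = json.loads(b64url_decode(h_seg))
    if not isinstance(header, dict):
        raise ValueError("header is not a JSON object")
    # The caller pins the algorithm; the token's own 'alg' never selects it
    # (the CVE-2024-37568 class: HMAC verification with a public key).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    # RFC 7515 section 4.1.11: every crit entry must be understood, or the
    # JWS is invalid (the CVE-2025-59420 class).
    if "crit" in header:
        crit = header["crit"]
        if (not isinstance(crit, list) or not crit
                or not all(isinstance(c, str) for c in crit)):
            raise ValueError("malformed crit header")
        unknown = set(crit) - UNDERSTOOD_CRIT
        if unknown:
            raise ValueError("unsupported critical parameters: %s" % sorted(unknown))
    sig = b64url_decode(s_seg)
    expected = hmac.new(key, f"{h_seg}.{p_seg}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature mismatch")
    return b64url_decode(p_seg)


def reject_reason(token: str, key: bytes = SAMPLE_KEY):
    """None if the token verifies, otherwise the rejection reason."""
    try:
        verify_hs256(token, key)
        return None
    except ValueError as exc:
        return str(exc)


def raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE (no zlib header), the encoding JWE 'zip':'DEF' uses."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def bounded_inflate(data: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate raw DEFLATE but never emit more than `limit` bytes (the
    CVE-2025-62706 class: a tiny input expanding without bound)."""
    d = zlib.decompressobj(-zlib.MAX_WBITS)
    out = d.decompress(data, limit)
    # The stream must have ended within the budget; otherwise output was
    # capped with more pending, or the stream was truncated.
    if not d.eof:
        raise ValueError("inflated size exceeds %d bytes or stream incomplete" % limit)
    return out


if __name__ == "__main__":
    print("good token:", reject_reason(make_token({"alg": "HS256"})))
    print("alg confusion:", reject_reason(make_token({"alg": "RS256"})))
    print("unknown crit:", reject_reason(
        make_token({"alg": "HS256", "crit": ["x-ext"], "x-ext": 1})))
    try:
        bounded_inflate(raw_deflate(b"A" * 1_000_000))
    except ValueError as exc:
        print("bomb:", exc)
```

The point of `verify_hs256` is that the verifier, not the token, decides the algorithm and the set of understood `crit` values; `b64url_decode` and `bounded_inflate` show where size budgets belong: before decoding and as a hard cap on decompressor output, not as a check after the fact.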